What the Health Information Privacy Code update means for your practice
A change to how healthcare practices must handle patient information came into force on 1 May 2026. It closes a gap that has existed for years, and whether your practice can meet the new obligation depends in part on what your systems can do.
The short version: you now need to notify patients when health information arrives from another source, not just when you collect it directly. That means looking at your referral workflows, your practice management software, and how information moves through your systems.
This is not legal advice. But it is directly relevant to how IT systems and patient data interact, which is what we work with every day.
What changed
The Health Information Privacy Code has always required you to notify patients when collecting information directly from them - during intake, consultations, on forms. You tell them what you are collecting, why, and what their rights are.
The update extends that obligation. A new Rule 3A came into force on 1 May 2026, covering information that arrives from somewhere else - a referral, a lab result, records from a previous provider.
When that kind of information comes into your practice, the patient now has a right to know:
- That information has been collected about them
- Why it was collected
- Who the intended recipients are
- Who collected it and who holds it
- Their rights to access and correct it
There are practical exceptions - genuine emergencies, certain research uses, situations where the referring practice has already told the patient what they need to know about your collection of that information. It also does not apply retrospectively, so historical records you already hold are not affected.
If you want the detail, the Office of the Privacy Commissioner has the full text of the Code and the amendment at privacy.org.nz. For legal questions specific to your obligations, talk to a solicitor with health information privacy experience.
Where this gets complicated
The straightforward scenario is a referral arriving with a letter and some clinical notes. One provider, one transfer, clear source.
The harder scenarios are the ones baked into how modern healthcare IT works.
If you receive information through an integrated clinical platform - a shared records system, a regional health information exchange, automated lab results - the source of that information is not always obvious. Records arrive, get filed, and become part of the patient record without anyone necessarily stopping to ask where they came from and whether the patient knows you have them.
Your practice management software (PMS) was not designed with this obligation in mind. Most systems have no mechanism to flag incoming third-party information, trigger a patient notification, or record that a notification was sent or that an exception applied. That is a workflow gap, and it is not one your PMS vendor is likely to solve in the near term.
The questions worth asking now
A few things worth working through with your team:
What comes in and from where? Referrals, lab results, records transfers, insurer or ACC correspondence - map the sources. Some will be straightforward. Others, particularly anything flowing through an integrated system, may be harder to account for.
Does your process include any patient notification step for incoming records? The honest answer for most practices is no, not in any formal or documented sense. That is the gap this rule is designed to close.
Can your practice management software support this? Whether it can trigger a notification, record that one was sent, or flag that an exception applied is a question worth putting to your software provider. The answer will shape what a workable process looks like.
Where exceptions apply, are you recording why? "Not reasonably practicable" is a judgement call. If that call is ever examined, having a record of the reasoning matters.
Why this sits at the IT level
Your clinical obligations and your IT infrastructure are more tangled than they used to be. A rule about notifying patients when their information arrives indirectly sounds like a governance or process question - and it is - but whether you can meet it, document it, and demonstrate it comes down to what your systems do.
We work with healthcare practices on exactly this. Not interpreting the law, but understanding how data moves through a practice, where the gaps are between what systems do and what obligations require, and what realistic process changes look like given the tools in use.
If this update has prompted questions about your own setup, we are happy to start there.